draft-ietf-httpbis-rfc6265bis-00.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group                                             A. Barth
Internet-Draft                                                 M. West
Obsoletes: 6265 (if approved)                              Google, Inc
Intended status: Standards Track                        March 30, 2017
Expires: October 1, 2017

                     HTTP State Management Mechanism
                   draft-ietf-httpbis-rfc6265bis-latest

Abstract

   This document defines the HTTP Cookie and Set-Cookie header fields.
   These header fields can be used by HTTP servers to store state
   (called cookies) at HTTP user agents, letting the servers maintain a
   stateful session over the mostly stateless HTTP protocol.  Although
   cookies have many historical infelicities that degrade their security
   and privacy, the Cookie and Set-Cookie header fields are widely used
   on the Internet.  This document obsoletes RFC 2965.

Note to Readers

   Discussion of this draft takes place on the HTTP working group
   mailing list (ietf-http-wg@w3.org), which is archived at
   https://lists.w3.org/Archives/Public/ietf-http-wg/ .

   Working Group information can be found at http://httpwg.github.io/ ;
   source code and issues list for this draft can be found at
   https://github.com/httpwg/http-extensions/labels/6265bis .

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 1, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
   2.  Conventions
       2.1.  Conformance Criteria
       2.2.  Syntax Notation
       2.3.  Terminology
   3.  Overview
       3.1.  Examples
   4.  Server Requirements
       4.1.  Set-Cookie
             4.1.1.  Syntax
             4.1.2.  Semantics (Non-Normative)
       4.2.  Cookie
             4.2.1.  Syntax
             4.2.2.  Semantics
   5.  User Agent Requirements
       5.1.  Subcomponent Algorithms
             5.1.1.  Dates
             5.1.2.  Canonicalized Host Names
             5.1.3.  Domain Matching
             5.1.4.  Paths and Path-Match
       5.2.  The Set-Cookie Header
             5.2.1.  The Expires Attribute
             5.2.2.  The Max-Age Attribute
             5.2.3.  The Domain Attribute
             5.2.4.  The Path Attribute
             5.2.5.  The Secure Attribute
             5.2.6.  The HttpOnly Attribute
       5.3.  Storage Model
       5.4.  The Cookie Header
   6.  Implementation Considerations
       6.1.  Limits
       6.2.  Application Programming Interfaces
       6.3.  IDNA Dependency and Migration
   7.  Privacy Considerations
       7.1.  Third-Party Cookies
       7.2.  User Controls
       7.3.  Expiration Dates
   8.  Security Considerations
       8.1.  Overview
       8.2.  Ambient Authority
       8.3.  Clear Text
       8.4.  Session Identifiers
       8.5.  Weak Confidentiality
       8.6.  Weak Integrity
       8.7.  Reliance on DNS
   9.  IANA Considerations
       9.1.  Cookie
       9.2.  Set-Cookie
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Changes since draft-ietf-httpbis-rfc6265bis-00
   Appendix B.  Acknowledgements
   Authors' Addresses
1.  Introduction

   This document defines the HTTP Cookie and Set-Cookie header fields.
   Using the Set-Cookie header field, an HTTP server can pass name/value
   pairs and associated metadata (called cookies) to a user agent.  When
   the user agent makes subsequent requests to the server, the user
   agent uses the metadata and other information to determine whether to
   return the name/value pairs in the Cookie header.

skipping to change at page 9, line 14
   set-cookie-header = "Set-Cookie:" SP set-cookie-string
   set-cookie-string = cookie-pair *( ";" SP cookie-av )
   cookie-pair       = cookie-name "=" cookie-value
   cookie-name       = token
   cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
   cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                         ; US-ASCII characters excluding CTLs,
                         ; whitespace, DQUOTE, comma, semicolon,
                         ; and backslash
   token             = <token, defined in [RFC2616], Section 2.2>

   cookie-av         = expires-av / max-age-av / domain-av /
                       path-av / secure-av / httponly-av /
                       extension-av
   expires-av        = "Expires=" sane-cookie-date
   sane-cookie-date  =
       <rfc1123-date, defined in [RFC2616], Section 3.3.1>
   max-age-av        = "Max-Age=" non-zero-digit *DIGIT
                         ; In practice, both expires-av and max-age-av
                         ; are limited to dates representable by the
                         ; user agent.
   non-zero-digit    = %x31-39
                         ; digits 1 through 9
   domain-av         = "Domain=" domain-value
   domain-value      = <subdomain>
                         ; defined in [RFC1034], Section 3.5, as
                         ; enhanced by [RFC1123], Section 2.1
   path-av           = "Path=" path-value
   path-value        = *av-octet
   secure-av         = "Secure"
   httponly-av       = "HttpOnly"
   extension-av      = *av-octet
   av-octet          = %x20-3A / %x3C-7E
                         ; any CHAR except CTLs or ";"

   Note that some of the grammatical terms above reference documents
   that use different grammatical notations than this document (which
   uses ABNF from [RFC5234]).

   The semantics of the cookie-value are not defined by this document.
   To maximize compatibility with user agents, servers that wish to
   store arbitrary data in a cookie-value SHOULD encode that data, for
   example, using Base64 [RFC4648].
skipping to change at page 13, line 14

   Note that the HttpOnly attribute is independent of the Secure
   attribute: a cookie can have both the HttpOnly and the Secure
   attribute.

4.2.  Cookie

4.2.1.  Syntax

   The user agent sends stored cookies to the origin server in the
   Cookie header.  If the server conforms to the requirements in
   Section 4.1 (and the user agent conforms to the requirements in
   Section 5), the user agent will send a Cookie header that conforms to
   the following grammar:

   cookie-header = "Cookie:" OWS cookie-string OWS
   cookie-string = cookie-pair *( ";" SP cookie-pair )

4.2.2.  Semantics

   Each cookie-pair represents a cookie stored by the user agent.  The
   cookie-pair contains the cookie-name and cookie-value the user agent
   received in the Set-Cookie header.
skipping to change at page 14, line 32

   1.  Using the grammar below, divide the cookie-date into date-tokens.

      cookie-date     = *delimiter date-token-list *delimiter
      date-token-list = date-token *( 1*delimiter date-token )
      date-token      = 1*non-delimiter

      delimiter       = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E
      non-delimiter   = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF
      non-digit       = %x00-2F / %x3A-FF

      day-of-month    = 1*2DIGIT [ non-digit *OCTET ]
      month           = ( "jan" / "feb" / "mar" / "apr" /
                          "may" / "jun" / "jul" / "aug" /
                          "sep" / "oct" / "nov" / "dec" ) *OCTET
      year            = 2*4DIGIT [ non-digit *OCTET ]
      time            = hms-time [ non-digit *OCTET ]
      hms-time        = time-field ":" time-field ":" time-field
      time-field      = 1*2DIGIT

   2.  Process each date-token sequentially in the order the date-tokens
       appear in the cookie-date:

       1.  If the found-time flag is not set and the token matches the
           time production, set the found-time flag and set the hour-
           value, minute-value, and second-value to the numbers denoted
           by the digits in the date-token, respectively.  Skip the
           remaining sub-steps and continue to the next date-token.

       2.  If the found-day-of-month flag is not set and the date-token
           matches the day-of-month production, set the found-day-of-

skipping to change at page 16, line 17
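The date tokenizer and token-recognition steps of Section 5.1.1 above, as an added Python example that is not the draft's own code. The excerpt cuts off after the day-of-month sub-step; the remaining sub-steps, the two-digit year windowing and the range checks are completed here from the RFC 6265 Section 5.1.1 rules. A date that fails to parse returns None, which is what lets a user agent fall back to treating the cookie as a session cookie instead of guessing an expiry.

```python
import calendar
import re

# Character classes from the cookie-date grammar (Section 5.1.1).
_DELIMITERS = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
# Each production may be followed by one non-digit and then any octets.
_TIME = re.compile(r"([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})(?:[^0-9].*)?\Z", re.S)
_DAY_OF_MONTH = re.compile(r"([0-9]{1,2})(?:[^0-9].*)?\Z", re.S)
_YEAR = re.compile(r"([0-9]{2,4})(?:[^0-9].*)?\Z", re.S)
# ABNF string literals are case-insensitive, so "Nov" and "NOVEMBER" both match.
_MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
           "jul", "aug", "sep", "oct", "nov", "dec")


def parse_cookie_date(cookie_date: str):
    """Return (year, month, day, hour, minute, second) in UTC, or None when
    the cookie-date fails to parse."""
    # Step 1: split into date-tokens.  Empty strings come from leading or
    # trailing delimiters and are not tokens.
    tokens = [t for t in _DELIMITERS.split(cookie_date) if t]
    hour = minute = second = None
    day = month = year = None
    # Step 2: each token is tried against the productions in this order and
    # is consumed by the first one whose "found" flag is still unset.  Note
    # that a second "hh:mm:ss" token is therefore taken as a day-of-month.
    for token in tokens:
        m = _TIME.match(token)
        if hour is None and m:
            hour, minute, second = (int(g) for g in m.groups())
            continue
        m = _DAY_OF_MONTH.match(token)
        if day is None and m:
            day = int(m.group(1))
            continue
        if month is None and token[:3].lower() in _MONTHS:
            month = _MONTHS.index(token[:3].lower()) + 1
            continue
        m = _YEAR.match(token)
        if year is None and m:
            year = int(m.group(1))
    # RFC 6265 Section 5.1.1 steps 3-4: two-digit years are windowed.
    if year is not None and 70 <= year <= 99:
        year += 1900
    elif year is not None and 0 <= year <= 69:
        year += 2000
    # Step 5: abort on a missing field or an out-of-range value.
    if None in (hour, day, month, year):
        return None
    if not 1 <= day <= 31 or year < 1601 or hour > 23 or minute > 59 or second > 59:
        return None
    # Step 6: the date must actually exist (rejects e.g. 31 Feb).
    if day > calendar.monthrange(year, month)[1]:
        return None
    return (year, month, day, hour, minute, second)


if __name__ == "__main__":
    # Constructed sample Expires values, not taken from the draft.
    for sample in ("Sun, 06 Nov 1994 08:49:37 GMT",
                   "Thu, 01-Jan-70 00:00:01 GMT",
                   "Wed, 31 Feb 2021 00:00:00 GMT",
                   "not a date"):
        print(repr(sample), "->", parse_cookie_date(sample))
```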
5.1.3.  Domain Matching

   A string domain-matches a given domain string if at least one of the
   following conditions hold:

   o  The domain string and the string are identical.  (Note that both
      the domain string and the string will have been canonicalized to
      lower case at this point.)

   o  All of the following conditions hold:

      *  The domain string is a suffix of the string.

      *  The last character of the string that is not included in the
         domain string is a %x2E (".") character.

      *  The string is a host name (i.e., not an IP address).

5.1.4.  Paths and Path-Match

   The user agent MUST use an algorithm equivalent to the following
   algorithm to compute the default-path of a cookie:

   1.  Let uri-path be the path portion of the request-uri if such a
       portion exists (and empty otherwise).  For example, if the
       request-uri contains just a path (and optional query string),
       then the uri-path is that path (without the %x3F ("?") character

skipping to change at page 16, line 46

       the remaining steps.

   3.  If the uri-path contains no more than one %x2F ("/") character,
       output %x2F ("/") and skip the remaining step.

   4.  Output the characters of the uri-path from the first character up
       to, but not including, the right-most %x2F ("/").

   A request-path path-matches a given cookie-path if at least one of
   the following conditions holds:

   o  The cookie-path and the request-path are identical.

      Note that this differs from the rules in [RFC3986] for equivalence
      of the path component, and hence two equivalent paths can have
      different cookies.

   o  The cookie-path is a prefix of the request-path, and the last
      character of the cookie-path is %x2F ("/").

   o  The cookie-path is a prefix of the request-path, and the first
      character of the request-path that is not included in the cookie-
      path is a %x2F ("/") character.
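The domain-match rule of Section 5.1.3 and the default-path and path-match rules of Section 5.1.4, as an added Python example that is not the draft's own code. Inputs are assumed to be already canonicalized host names and the path component with any query string removed. The demo at the bottom shows two consequences a reviewer should keep in mind: an IP address never suffix-matches a Domain attribute, and "/admin" path-matches "/admin/x" but not "/administrator", while the RFC 3986-equivalent paths "/a/b" and "/a/./b" do not path-match each other.

```python
import ipaddress


def _is_ip_address(host: str) -> bool:
    """True for an IPv4 literal or a (possibly bracketed) IPv6 literal."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(string: str, domain_string: str) -> bool:
    """Section 5.1.3: does `string` domain-match `domain_string`?"""
    if string == domain_string:
        return True
    # Otherwise all three remaining conditions must hold.
    if not domain_string or not string.endswith(domain_string):
        return False                      # not a suffix
    if string[-len(domain_string) - 1] != ".":
        return False                      # suffix must start at a label boundary
    return not _is_ip_address(string)     # IP literals never suffix-match


def default_path(uri_path: str) -> str:
    """Section 5.1.4: compute the default-path from the request-uri path."""
    if not uri_path or uri_path[0] != "/":
        return "/"                        # step 2
    if uri_path.count("/") <= 1:
        return "/"                        # step 3
    return uri_path[:uri_path.rfind("/")]  # step 4: drop the last segment


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Section 5.1.4: does request-path path-match cookie-path?"""
    if cookie_path == request_path:
        return True                       # condition 1: identical strings
    if not request_path.startswith(cookie_path):
        return False
    # request_path is now strictly longer than cookie_path.
    if cookie_path.endswith("/"):
        return True                       # condition 2
    return request_path[len(cookie_path)] == "/"  # condition 3


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the draft.
    print(domain_matches("www.example.com", "example.com"))   # True
    print(domain_matches("badexample.com", "example.com"))    # False
    print(domain_matches("192.168.1.1", "1.1"))               # False
    print(default_path("/docs/guide?x=1".split("?")[0]))       # /docs
    print(path_matches("/admin/x", "/admin"))                  # True
    print(path_matches("/administrator", "/admin"))            # False
    print(path_matches("/a/./b", "/a/b"))                      # False
```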
5.2.  The Set-Cookie Header

   When a user agent receives a Set-Cookie header field in an HTTP
   response, the user agent MAY ignore the Set-Cookie header field in
   its entirety.  For example, the user agent might wish to block
   responses to "third-party" requests from setting cookies (see
   Section 7.1).

   If the user agent does not ignore the Set-Cookie header field in its
   entirety, the user agent MUST parse the field-value of the Set-Cookie
   header field as a set-cookie-string (defined below).

   NOTE: The algorithm below is more permissive than the grammar in
   Section 4.1.  For example, the algorithm strips leading and trailing
   whitespace from the cookie name and value (but maintains internal
   whitespace), whereas the grammar in Section 4.1 forbids whitespace in
   these positions.  User agents use this algorithm so as to
   interoperate with servers that do not follow the recommendations in
   Section 4.
   A user agent MUST use an algorithm equivalent to the following
   algorithm to parse a set-cookie-string:

   1.  If the set-cookie-string contains a %x3B (";") character:

       1.  The name-value-pair string consists of the characters up to,
           but not including, the first %x3B (";"), and the unparsed-
           attributes consist of the remainder of the set-cookie-string
           (including the %x3B (";") in question).

       Otherwise:

       2.  The name-value-pair string consists of all the characters
           contained in the set-cookie-string, and the unparsed-
           attributes is the empty string.

   2.  If the name-value-pair string lacks a %x3D ("=") character,
       ignore the set-cookie-string entirely.

   3.  The (possibly empty) name string consists of the characters up
       to, but not including, the first %x3D ("=") character, and the
       (possibly empty) value string consists of the characters after
       the first %x3D ("=") character.

   4.  Remove any leading or trailing WSP characters from the name
       string and the value string.

skipping to change at page 18, line 19
   The user agent MUST use an algorithm equivalent to the following
   algorithm to parse the unparsed-attributes:

   1.  If the unparsed-attributes string is empty, skip the rest of
       these steps.

   2.  Discard the first character of the unparsed-attributes (which
       will be a %x3B (";") character).

   3.  If the remaining unparsed-attributes contains a %x3B (";")
       character:

       1.  Consume the characters of the unparsed-attributes up to, but
           not including, the first %x3B (";") character.

       Otherwise:

       2.  Consume the remainder of the unparsed-attributes.

       Let the cookie-av string be the characters consumed in this step.

   4.  If the cookie-av string contains a %x3D ("=") character:

       1.  The (possibly empty) attribute-name string consists of the
           characters up to, but not including, the first %x3D ("=")
           character, and the (possibly empty) attribute-value string
           consists of the characters after the first %x3D ("=")
           character.

       Otherwise:

       2.  The attribute-name string consists of the entire cookie-av
           string, and the attribute-value string is empty.

   5.  Remove any leading or trailing WSP characters from the attribute-
       name string and the attribute-value string.

   6.  Process the attribute-name and attribute-value according to the
       requirements in the following subsections.  (Notice that
       attributes with unrecognized attribute-names are ignored.)

   7.  Return to Step 1 of this algorithm.
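The set-cookie-string and unparsed-attributes algorithms above, combined with the Domain and Path attribute rules of Sections 5.2.3 and 5.2.4 that follow, as an added Python example that is not the draft's own code. It assumes the default-path is supplied by the caller from the Section 5.1.4 algorithm, keeps Expires and Max-Age values raw rather than applying Sections 5.2.1 and 5.2.2, and adds the empty-name check that RFC 6265 Section 5.2 places at step 5 (the excerpt stops at step 4). The second constructed sample shows the permissive whitespace handling described in the NOTE above.

```python
# WSP per RFC 5234: space or horizontal tab.
_WSP = " \t"


def _process_attribute(attr_name: str, attr_value: str, default_path: str):
    """Step 6: apply the per-attribute rules of Sections 5.2.3 to 5.2.6.
    Returns an (attribute-name, attribute-value) pair, or None to ignore."""
    lowered = attr_name.lower()            # attribute names match case-insensitively
    if lowered == "domain":
        if attr_value == "":
            return None                    # 5.2.3 step 1: SHOULD ignore the cookie-av
        cookie_domain = attr_value[1:] if attr_value.startswith(".") else attr_value
        return ("Domain", cookie_domain.lower())   # 5.2.3 steps 2-4
    if lowered == "path":
        if attr_value == "" or not attr_value.startswith("/"):
            return ("Path", default_path)  # 5.2.4 step 1: fall back to default-path
        return ("Path", attr_value)
    if lowered == "secure":
        return ("Secure", "")
    if lowered == "httponly":
        return ("HttpOnly", "")
    if lowered in ("expires", "max-age"):
        # Date / delta-seconds processing (5.2.1, 5.2.2) is not shown here;
        # the raw value is kept so a caller can apply those rules.
        return ("Expires" if lowered == "expires" else "Max-Age", attr_value)
    return None                            # unrecognized attribute-names are ignored


def parse_set_cookie(set_cookie_string: str, default_path: str = "/"):
    """Parse a Set-Cookie field-value per Section 5.2.

    Returns (cookie-name, cookie-value, cookie-attribute-list), or None when
    the set-cookie-string is to be ignored entirely."""
    # Step 1: split at the first ";"; unparsed-attributes keeps that ";".
    if ";" in set_cookie_string:
        name_value_pair, rest = set_cookie_string.split(";", 1)
        unparsed_attributes = ";" + rest
    else:
        name_value_pair, unparsed_attributes = set_cookie_string, ""
    # Step 2: no "=" at all means the whole string is ignored.
    if "=" not in name_value_pair:
        return None
    # Steps 3-4: split at the first "=" and trim WSP on both sides.
    name, value = name_value_pair.split("=", 1)
    name, value = name.strip(_WSP), value.strip(_WSP)
    # RFC 6265 Section 5.2 step 5 (not in the excerpt): empty name -> ignore.
    if name == "":
        return None

    attributes = []
    while unparsed_attributes:                          # attribute step 1
        unparsed_attributes = unparsed_attributes[1:]   # step 2: drop the ";"
        if ";" in unparsed_attributes:                  # step 3
            cookie_av, rest = unparsed_attributes.split(";", 1)
            unparsed_attributes = ";" + rest
        else:
            cookie_av, unparsed_attributes = unparsed_attributes, ""
        if "=" in cookie_av:                            # step 4
            attr_name, attr_value = cookie_av.split("=", 1)
        else:
            attr_name, attr_value = cookie_av, ""
        attr_name = attr_name.strip(_WSP)               # step 5
        attr_value = attr_value.strip(_WSP)
        processed = _process_attribute(attr_name, attr_value, default_path)
        if processed is not None:                       # step 6
            attributes.append(processed)
    return (name, value, attributes)


if __name__ == "__main__":
    # Constructed sample field-values, not taken from the draft.
    samples = [
        "sid=s3ss10n; Path=/; Secure; HttpOnly",
        " lang = en-US ; Domain=.Example.COM; Path=docs; Unknown=x",
        "a=b; Domain=",
        "=nameless",
        "no-equals-sign",
    ]
    for sample in samples:
        print(repr(sample), "->", parse_set_cookie(sample, default_path="/guide"))
```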
   When the user agent finishes parsing the set-cookie-string, the user
   agent is said to "receive a cookie" from the request-uri with name

skipping to change at page 19, line 49
5.2.3. The Domain Attribute

If the attribute-name case-insensitively matches the string "Domain",
the user agent MUST process the cookie-av as follows.

1. If the attribute-value is empty, the behavior is undefined.
   However, the user agent SHOULD ignore the cookie-av entirely.

2. If the first character of the attribute-value string is %x2E ("."):

   1. Let cookie-domain be the attribute-value without the leading
      %x2E (".") character.

   Otherwise:

   1. Let cookie-domain be the entire attribute-value.

3. Convert the cookie-domain to lower case.

4. Append an attribute to the cookie-attribute-list with an
   attribute-name of Domain and an attribute-value of cookie-domain.

5.2.4. The Path Attribute

If the attribute-name case-insensitively matches the string "Path",
the user agent MUST process the cookie-av as follows.

1. If the attribute-value is empty or if the first character of the
   attribute-value is not %x2F ("/"):

   1. Let cookie-path be the default-path.

   Otherwise:

   1. Let cookie-path be the attribute-value.

2. Append an attribute to the cookie-attribute-list with an
   attribute-name of Path and an attribute-value of cookie-path.
5.2.5. The Secure Attribute

If the attribute-name case-insensitively matches the string "Secure",
the user agent MUST append an attribute to the cookie-attribute-list
with an attribute-name of Secure and an empty attribute-value.

5.2.6. The HttpOnly Attribute
2. Create a new cookie with name cookie-name, value cookie-value.
   Set the creation-time and the last-access-time to the current
   date and time.

3. If the cookie-attribute-list contains an attribute with an
   attribute-name of "Max-Age":

   1. Set the cookie's persistent-flag to true.

   2. Set the cookie's expiry-time to attribute-value of the last
      attribute in the cookie-attribute-list with an attribute-name
      of "Max-Age".

   Otherwise, if the cookie-attribute-list contains an attribute
   with an attribute-name of "Expires" (and does not contain an
   attribute with an attribute-name of "Max-Age"):

   1. Set the cookie's persistent-flag to true.

   2. Set the cookie's expiry-time to attribute-value of the last
      attribute in the cookie-attribute-list with an attribute-name
      of "Expires".

   Otherwise:

   1. Set the cookie's persistent-flag to false.

   2. Set the cookie's expiry-time to the latest representable date.

4. If the cookie-attribute-list contains an attribute with an
   attribute-name of "Domain":

   1. Let the domain-attribute be the attribute-value of the last
      attribute in the cookie-attribute-list with an attribute-name
      of "Domain".

   Otherwise:

   1. Let the domain-attribute be the empty string.

5. If the user agent is configured to reject "public suffixes" and
   the domain-attribute is a public suffix:

   1. If the domain-attribute is identical to the canonicalized
      request-host:

      1. Let the domain-attribute be the empty string.

      Otherwise:

      1. Ignore the cookie entirely and abort these steps.

   NOTE: A "public suffix" is a domain that is controlled by a
   public registry, such as "com", "co.uk", and "pvt.k12.wy.us".
   This step is essential for preventing attacker.com from
   disrupting the integrity of example.com by setting a cookie with
   a Domain attribute of "com". Unfortunately, the set of public
   suffixes (also known as "registry controlled domains") changes
   over time. If feasible, user agents SHOULD use an up-to-date
   public suffix list, such as the one maintained by the Mozilla
   project at http://publicsuffix.org/ .

6. If the domain-attribute is non-empty:

   1. If the canonicalized request-host does not domain-match the
      domain-attribute:

      1. Ignore the cookie entirely and abort these steps.

      Otherwise:

      1. Set the cookie's host-only-flag to false.

      2. Set the cookie's domain to the domain-attribute.

   Otherwise:

   1. Set the cookie's host-only-flag to true.

   2. Set the cookie's domain to the canonicalized request-host.

7. If the cookie-attribute-list contains an attribute with an
   attribute-name of "Path", set the cookie's path to attribute-value
   of the last attribute in the cookie-attribute-list with an
   attribute-name of "Path". Otherwise, set the cookie's path to
   the default-path of the request-uri.

8. If the cookie-attribute-list contains an attribute with an
   attribute-name of "Secure", set the cookie's secure-only-flag to
   true. Otherwise, set the cookie's secure-only-flag to false.

9. If the cookie-attribute-list contains an attribute with an
   attribute-name of "HttpOnly", set the cookie's http-only-flag to
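The Domain and Path attribute processing of 5.2.3 and 5.2.4 together with storage-model steps 3 to 9 above, carried through in Python as an added example that is not part of the draft. It assumes a constructed public suffix set standing in for a real public suffix list, a domain-match per RFC 6265 section 5.1.3 (outside this excerpt), and an Expires value already parsed to a datetime by the cookie-date algorithm (5.1.1, not shown).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an up-to-date public suffix list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "co.uk", "pvt.k12.wy.us"}
EARLIEST_DATE = datetime.min.replace(tzinfo=timezone.utc)  # 5.2.2: Max-Age <= 0
LATEST_DATE = datetime.max.replace(tzinfo=timezone.utc)    # step 3: session cookie

@dataclass
class Cookie:
    name: str
    value: str
    domain: str = ""
    path: str = "/"
    host_only: bool = True
    secure_only: bool = False
    http_only: bool = False
    persistent: bool = False
    expiry: datetime = LATEST_DATE

def process_attributes(raw_avs, now, default_path):
    """Build the cookie-attribute-list from trimmed (name, value) pairs per
    5.2.x: names match case-insensitively and unrecognized names are ignored.
    An Expires value is assumed already parsed to a datetime (5.1.1 not shown)."""
    out = []
    for name, av in raw_avs:
        key = name.lower()
        if key == "domain" and av != "":                   # 5.2.3 (empty: ignore)
            cd = av[1:] if av.startswith(".") else av       # drop one leading "."
            out.append(("Domain", cd.lower()))
        elif key == "path":                                # 5.2.4
            out.append(("Path", av if av.startswith("/") else default_path))
        elif key == "secure":                              # 5.2.5
            out.append(("Secure", ""))
        elif key == "httponly":                            # 5.2.6
            out.append(("HttpOnly", ""))
        elif key == "max-age" and re.fullmatch(r"-?\d+", av):   # 5.2.2
            secs = int(av)
            out.append(("Max-Age", now + timedelta(seconds=secs) if secs > 0 else EARLIEST_DATE))
        elif key == "expires" and isinstance(av, datetime):   # 5.2.1
            out.append(("Expires", av))
    return out

def domain_match(host, domain):
    """domain-match per RFC 6265 5.1.3 (outside this excerpt): identical, or the
    domain is a suffix of the host preceded by ".". host: canonicalized name, not an IP."""
    return host == domain or host.endswith("." + domain)

def store_cookie(name, value, attrs, request_host, default_path, reject_public_suffixes=True):
    """Storage-model steps 2-9; returns None when the cookie is ignored entirely."""
    def last(attr_name):
        vals = [v for k, v in attrs if k == attr_name]
        return vals[-1] if vals else None
    c = Cookie(name, value)
    if last("Max-Age") is not None:                        # step 3: Max-Age wins
        c.persistent, c.expiry = True, last("Max-Age")
    elif last("Expires") is not None:
        c.persistent, c.expiry = True, last("Expires")
    domain_attr = last("Domain") or ""                     # step 4
    if reject_public_suffixes and domain_attr in PUBLIC_SUFFIXES:   # step 5
        if domain_attr != request_host:
            return None   # e.g. attacker.com setting Domain=com: ignored
        domain_attr = ""
    if domain_attr:                                        # step 6
        if not domain_match(request_host, domain_attr):
            return None
        c.host_only, c.domain = False, domain_attr
    else:
        c.host_only, c.domain = True, request_host
    c.path = last("Path") if last("Path") is not None else default_path   # step 7
    c.secure_only = last("Secure") is not None             # step 8
    c.http_only = last("HttpOnly") is not None             # step 9
    return c
```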
of this document to recommend specific API designs, but there are
clear benefits to accepting an abstract "Date" object instead of a
serialized date string.

6.3. IDNA Dependency and Migration

IDNA2008 [RFC5890] supersedes IDNA2003 [RFC3490]. However, there are
differences between the two specifications, and thus there can be
differences in processing (e.g., converting) domain name labels that
have been registered under one from those registered under the other.
There will be a transition period of some time during which
IDNA2003-based domain name labels will exist in the wild. User
agents SHOULD implement IDNA2008 [RFC5890] and MAY implement [UTS46]
or [RFC5895] in order to facilitate their IDNA transition. If a user
agent does not implement IDNA2008, the user agent MUST implement
IDNA2003 [RFC3490].

7. Privacy Considerations

Cookies are often criticized for letting servers track users. For
example, a number of "web analytics" companies use cookies to
recognize when a user returns to a web site or visits another web
site. Although cookies are not the only mechanism servers can use to
track users across HTTP requests, cookies facilitate tracking because
they are persistent across user agent sessions and can be shared
between hosts.
cookies.

8.7. Reliance on DNS

Cookies rely upon the Domain Name System (DNS) for security. If the
DNS is partially or fully compromised, the cookie protocol might fail
to provide the security properties required by applications.

9. IANA Considerations

The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registrations.

9.1. Cookie

Header field name: Cookie
Applicable protocol: http
Status: standard
Author/Change controller: IETF
Specification document: this specification (Section 5.4)

9.2. Set-Cookie

Header field name: Set-Cookie
Applicable protocol: http
Status: standard
Author/Change controller: IETF
Specification document: this specification (Section 5.2)

9.3. Cookie2

Header field name: Cookie2
Applicable protocol: http
Status: obsoleted
Author/Change controller: IETF
Specification document: [RFC2965]

9.4. Set-Cookie2

Header field name: Set-Cookie2
Applicable protocol: http
Status: obsoleted
Author/Change controller: IETF
Specification document: [RFC2965]
10. References

10.1. Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
          STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
          <http://www.rfc-editor.org/info/rfc1034>.

[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
          Application and Support", STD 3, RFC 1123,
          DOI 10.17487/RFC1123, October 1989,
          <http://www.rfc-editor.org/info/rfc1123>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119,
          DOI 10.17487/RFC2119, March 1997,
          <http://www.rfc-editor.org/info/rfc2119>.

[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
          Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
          Transfer Protocol -- HTTP/1.1", RFC 2616,
          DOI 10.17487/RFC2616, June 1999,
          <http://www.rfc-editor.org/info/rfc2616>.

[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
          "Internationalizing Domain Names in Applications (IDNA)",
          RFC 3490, DOI 10.17487/RFC3490, March 2003,
          <http://www.rfc-editor.org/info/rfc3490>.

[RFC4790] Newman, C., Duerst, M., and A. Gulbrandsen, "Internet
          Application Protocol Collation Registry", RFC 4790,
          DOI 10.17487/RFC4790, March 2007,
          <http://www.rfc-editor.org/info/rfc4790>.

[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
          Specifications: ABNF", STD 68, RFC 5234,
          DOI 10.17487/RFC5234, January 2008,
          <http://www.rfc-editor.org/info/rfc5234>.

[RFC5890] Klensin, J., "Internationalized Domain Names for
          Applications (IDNA): Definitions and Document Framework",
          RFC 5890, DOI 10.17487/RFC5890, August 2010,
          <http://www.rfc-editor.org/info/rfc5890>.

[USASCII] Institute, A., "Coded Character Set -- 7-bit American
          Standard Code for Information Interchange", 1986,
          <ANSI X3.4>.

10.2. Informative References

[Aggarwal2010]
          Aggarwal, G., Burzstein, E., Jackson, C., and D. Boneh,
          "An Analysis of Private Browsing Modes in Modern
          Browsers", 2010,
          <http://www.usenix.org/events/sec10/tech/full_papers/Aggarwal.pdf>.

[CSRF]    Barth, A., Jackson, C., and J. Mitchell, "Robust Defenses
          for Cross-Site Request Forgery", 2008,
          <http://portal.acm.org/citation.cfm?id=1455770.1455782>.

[Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and
          Politics", ACM Transactions on Internet Technology
          Vol. 1, #2, November 2001,
          <http://arxiv.org/abs/cs.SE/0105018>.

[Netscape]
          Corp., N., "Persistent Client State -- HTTP Cookies",
          1999,
          <http://web.archive.org/web/20020803110822/http://wp.netscape.com/newsref/std/cookie_spec.html>.

[RFC2109] Kristol, D. and L. Montulli, "HTTP State Management
          Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997,
          <http://www.rfc-editor.org/info/rfc2109>.

[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
          DOI 10.17487/RFC2818, May 2000,
          <http://www.rfc-editor.org/info/rfc2818>.

[RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
          Mechanism", RFC 2965, DOI 10.17487/RFC2965, October 2000,
          <http://www.rfc-editor.org/info/rfc2965>.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
          10646", STD 63, RFC 3629, DOI 10.17487/RFC3629,
          November 2003, <http://www.rfc-editor.org/info/rfc3629>.

[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
          Procedures for Message Header Fields", BCP 90, RFC 3864,
          DOI 10.17487/RFC3864, September 2004,
          <http://www.rfc-editor.org/info/rfc3864>.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
          Resource Identifier (URI): Generic Syntax", STD 66,
          RFC 3986, DOI 10.17487/RFC3986, January 2005,
          <http://www.rfc-editor.org/info/rfc3986>.

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
          Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
          <http://www.rfc-editor.org/info/rfc4648>.

[RFC5895] Resnick, P. and P. Hoffman, "Mapping Characters for
          Internationalized Domain Names in Applications (IDNA)
          2008", RFC 5895, DOI 10.17487/RFC5895, September 2010,
          <http://www.rfc-editor.org/info/rfc5895>.

[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
          DOI 10.17487/RFC6265, April 2011,
          <http://www.rfc-editor.org/info/rfc6265>.

[UTS46]   Davis, M. and M. Suignard, "Unicode IDNA Compatibility
          Processing", Unicode Technical Standards # 46, 2010,
          <http://unicode.org/reports/tr46/>.
Appendix A. Changes since draft-ietf-httpbis-rfc6265bis-00

o Fixes to formatting caused by mistakes in the initial port to
  Markdown:

  * https://github.com/httpwg/http-extensions/issues/243

o -01 addresses errata 3444 by updating the "path-value" and
  "extension-av" grammar, errata 4148 by updating the "day-of-month",
  "year", and "time" grammar, and errata 3663 by adding the
  requested note. https://www.rfc-editor.org/errata_search.php?rfc=6265

Appendix B. Acknowledgements

This document is a minor update of RFC 6265, adding small features,
and aligning the specification with the reality of today's
deployments. Here, we're standing upon the shoulders of giants.

Authors' Addresses

Adam Barth
Google, Inc